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Abstract — This paper considers tiie problem of securing a 
linear network coding system against an adversary that is both an 
eavesdropper and a jammer. The network is assumed to transport 
n packets from source to each receiver, and the adversary is 
allowed to eavesdrop on fi arbitrarily chosen links and also to 
inject up to t erroneous packets into the network. The goal of the 
system is to achieve zero-error communication that is information- 
theoretically secure from the adversary. Moreover, this goal must 
be attained in a universal fashion, i.e., regardless of the network 
topology or the underlying network code. An upper bound on 
the achievable rate under these requirements is shown to be 
n — 2t packets per transmission. A scheme is proposed that 
can achieve this maximum rate, for any n and any field size q, 
provided the packet length m is at least n symbols. The scheme is 
based on rank-metric codes and admits low-complexity encoding 
and decoding. In addition, the scheme is shown to be optimal in 
the sense that the required packet length is the smallest possible 
among all universal schemes that achieve the maximum rate. 

I. Introduction 

Consider a network implementing linear network coding 
for multicast The network may be subject to two types 
of attacks: a malicious user injects corrupt packets into the 
network in order to disrupt communication; an unauthorized 
eavesdropper intercepts packet transmissions in order to ob- 
tain as much information as possible about the transmitted 
messages. The linear mixing performed by network coding 
presents challenges to coding schemes in both scenarios, and 
has motivated a significant amount of research. 

This paper considers the problem of dealing with the 
aforementioned attacks in a universal fashion, i.e., in a way 
that is completely independent of the network topology and 
the specific network code. This has the advantage of produc- 
ing schemes that are compatible with noncoherent (random) 
network coding |2|. Also, we focus on the most stringent 
requirements of zero error probability and zero information 
leakage, i.e., perfectly reliable and perfectly secure (in the 
information-theoretic sense) communication. 

Most of the previous work on this problem deals with the 
special cases where only error control or only security is 
required. A dividing assumption among these works refers 
to the constraints on the packet length m. For a system that 
is required to work under any packet length (in particular, 
under m = 1), the error control problem has been extensively 
discussed in Q-Q (see references therein) and the security 
problem has also received significant attention ||6l-|[8l. In all 
of these works, the proposed solutions require knowledge of 
the network code, and therefore are not universal. On the 



other hand, universal schemes have been proposed for the 
case where m is required to be sufficiently large; this is the 
approach taken in ||9l, ifTOl for error control and in ifTTl for 
security. 

When both requirements of error control and security are 
combined, the problem becomes harder, and a simple con- 
catenation of an error control scheme and a security scheme 
may not necessarily work. The reason is that, if error control 
coding is followed by security coding, the overall codeword 
may not be robust to errors and, similarly, if security coding 
is followed by error control coding, the overall codeword may 
not be robust to eavesdropping. Previous work on this problem 
has been limitec|3 to non-universal schemes |,13J, I.14J . which 
require knowledge of the network code. 

In this paper, we propose a universal scheme that 
achieves perfectly reliable and perfectly secure communica- 
tion. Namely, in a network with a maxflow of n packets, if at 
most t error packets are injected in the network, and at most 
/i packets are observed by an eavesdropper, then our scheme 
can provide perfectly secure and reliable communication while 
achieving a rate of k = n — 2t — fi packets per transmission. 
This rate is shown to be optimal. Note that a similar upper 
bound on rate has been shown lfT4l in the context of non- 
universal network coding with m = 1, but it does not apply to 
the problem considered here (since it ignores the possibility 
of exploiting m > 1 in the coding scheme). 

A requirement of our scheme is that the packet length m 
must be at least n symbols. We show that this value is optimal, 
in the sense that it is the smallest packet length of a universal 
scheme achieving the maximum rate. 

A main tool in the design and analysis of our scheme is the 
theory of rank-metric codes ITSll . We show that our scheme 
can benefit from existing efficient algorithms for rank-metric 
codes [lOJ . [16], and therefore can be encoded and decoded 
with low complexity. 

It is worth mentioning that there is another line of work 
that relaxes the assumption of zero error probability (requiring, 
instead, vanishingly small error probability) ifTTI . lITSll . In this 
case, even higher rates can be achieved ifTSl . however, the 
packet length must be asymptotically large. 

The remainder of the paper is organized as follows. Sec- 
tion [n] establishes the notation used and reviews background 
material on rank-metric codes and linear network coding. In 

'except for an eailier, suboptimal version of this work. See fTTl. fill. 



Section |III1 we define the problem of combined error control 
and security. In Section IIVI we review existing techniques 
for the special cases of either error control or security only. 
We also provide new results and insights for these scenarios, 
which will be useful for our proposed scheme. In Section IVl 
we present our scheme and show that it achieves the desired 
goals. In Section IVII we prove that our scheme is optimal 
both in the sense of maximal rate and smallest packet length. 
In Section rvni we discuss how the scheme can be extended to 
the case of noncoherent network coding. Finally, Section [Villi 
presents our conclusions. 

Some proofs are omitted due to lack of space. The full 
version of this work is being incorporated in the revised 
version of ifTTl . 



proposed by Gabidulin ifTsl . A Gabidulin code is an [n, fc] 
linear code over F^m defined by the generator matrix 



II. Background 



A. Notation 



Let be a finite field. Let F^^"* denote the set of all n x m 
matrices over F^, and set F^ = F^^^. Let F^™ be an extension 
field of Fg. Recall that F^m is an m-dimensional vector space 
over Fq. Thus, by fixing a basis for F^m over F^, elements 
of may be viewed as (row) vectors in Fj^™ and vice- 
versa. This identification will be used extensively throughout 
the paper In particular, we may view a column vector in F^'m 
as a matrix in F"^™ and vice-versa. 



B. Rank-Metric Codes 

Let X, F G F^^™ be matrices. The rank distance between 
X and Y is defined as dR(X, Y) — rank(F— X). As observed 
in ifTSl . the rank distance is indeed a metric. 

A rank-metric code C C F^x™ is a matrix code (i.e., a 
nonempty set of matrices) used in the context of the rank 
metric. The minimum rank distance of C, denoted d^{C), is the 
minimum rank distance between all pairs of distinct codewords 
of C. 

There is a rich coding theory for rank-metric codes that 
is analogous to the classical coding theory in the Hamming 
metric. In particular, the Singleton bound for the rank metric 
ifTol . ifTsl states that every rank-metric code C C F^*^"" with 
minimum rank distance d must satisfy 



|C|<<Z 



max{ n.m} (min{n,m} — 



(1) 



Codes that achieve this bound are called maximum-rank- 
distance (MRD) codes and they are known to exist for all 
choices of parameters q, n, m and d < min{n, m} [15 |. 

In the context of the bijection between F^^™ and F^m, a 
rank-metric code may described as a block code C C F^™ 
of length n over F^™. (Note that, differently from classical 
coding theory, here we treat each codeword as a column 
vector. However, to avoid confusion, we will keep the standard 
notation on generator and parity-check matrices of linear 
codes.) 

It is particularly useful to consider linear block codes over 
Fgm. For TO > n, an important family of such codes was 



G = 



9'o 
9i 



.91 



9l 
9t 



9\ 



9l- 



(2) 



where the elements go,...,gn-i £ Fgm are linearly inde- 



pendent over ¥q. It is shown in iTSl that the minimum rank 
distance of a Gabidulin code is d = n — fc + 1, so the code is 
MRD. 

C. Linear Network Coding 

The basic model for a (multicast) communication system 
using linear network coding is that of a finite-field matrix chan- 
nel. At each channel use (generation) a source node transmits 
a batch of n packets, each consisting of to symbols from a 
finite field F^, which can be regarded as the rows of a matrix 
X G F^^'". Each link in the network transports a packet 
free of errors, and each node creates outgoing packets as Fg- 
linear combinations of incoming packets. The specification 
of all such linear combinations defines the network code. 
The packets received by a (specific) destination node can 
be regarded as the rows of an x m matrix Y = AX, 
where A G F^^" is the transfer matrix that describes the 
linear transformations incurred by packets on route to the 
destination. The system is said to be coherent if A is known 
to each corresponding destination; otherwise, it is said to be 
noncoherent. The linear network code is said to be feasible if 
every transfer matrix to a destination has rank n (so that, in a 
coherent system, each destination is able to recover X). 

The system described above is referred to as an [n x to, k)q 
linear coded network, where k denotes the minimum rank 
among all transfer matrices. Thus, an [n x m, n)q linear coded 
network contains a feasible network code. 

III. Problem Statement 

For simplicity, we restrict attention to a single destination, 
since all the results in this paper can be immediately ex- 
tended to multiple destinations. In addition, we focus on the 
fundamental case of coherent network coding; extensions to 
noncoherent network coding are described in Section IVIII 

The basic model for linear network coding described in 
Section III-CI can be extended to incorporate packet errors. 
Suppose that at most t errors can occur in any of the links, 
causing the corresponding packets to become corrupted. In 
this case, we will say that the network is subject to t errors. 
Assuming, without loss of generality, an additive error model, 
the matrix received by the destination can be expressed as 

Y = AX + DZ 

where Z G ifr*x™ is a matrix consisting of the error packets 
injected and D G F^^* is the transfer matrix from the affected 
links to the destination. Note that D depends on the set of links 
in error. 



This model can be further extended to include an eavesdrop- 
per adversary, in the spirit of the wiretap channel II of Ozarow 
and Wyner I.19J . The eavesdropper is assumed to have access 
to the packets transmitted on any /i arbitrarily chosen links 
in the network. In this case, we will say that the network 
is subject to fj, observations. Let W G F^^™ be a matrix 
consisting of the packets observed by the eavesdropper. Then 
W can be expressed as 

W = BX 

where i? £ F^^" is the transfer matrix from the source node to 
the eavesdropper. Note that B depends on the set of intercepted 
links. 

To ensure secure and reliable communication, the source 
node chooses the matrix X as the (possibly stochastic) encod- 
ing of some message S ^ S (which should be recovered by the 
destination but not by the eavesdropper). The coding scheme is 
said to be zero-error if S can be uniquely determined from Y, 
i.e., H{S\Y) — 0. Here we assume that A is a constant known 



to all, while D e F^^* 



and Z E F*^™ are unknown random 



variables with unknown distributions (which may depend on 
X). A zero-error scheme, in this context, may also be called 
t-error-correcting scheme. A scheme is said to be universally 
t-error-correcting if it satisfies 



H{S\Y) =0, VA: rank A 



(3) 



for any arbitrary distributions on D and Z. In other words, 
a universally t-error-correcting scheme must provide reliable 
communication for any of the choice of the (feasible) linear 
network code. 

The coding scheme is said to be (perfectly) secret if the 
eavesdropper gets no information about the message, i.e., if 
I{S\ W) ~ 0. Note that this requirement depends on the 
choice of B. A scheme is said to be universally (perfectly) 
secret under /i observations if it satisfies 



I{S-W) = Q, 



\/B e f;;""". 



(4) 



In other words, a universally secret scheme must guarantee 
secrecy for any choice of the linear network code. 

In this paper, we are interested in schemes that are both 
universally i-error-correcting and universally secret under ji 
observations, i.e., schemes that satisfy both (O and 

IV. Special Cases 

A. Error Control Only 

Consider an {n x m,n)q linear network subject to t errors 
but fj, = observations. In this case, condition (|4]i can be 
ignored. 

In the case of a deterministic encoding, the following 
characterization is given in 1201 . 



Theorem 1 ( [20]): Consider a deterministic encoder map- 
ping S E S to X E F^'^™ whose image is given by 
C C F^»x"\ There exists a universally i-error-correcting 
scheme with this encoder if and only if c?r (C) > 2t + 1. 



From the Singleton bound ([T]), it can be seen that the 
maximum rate achievable by a universally t-error-correcting 
scheme is given by max{n, m}(min{n, m} — 2t) symbols per 
transmission, and it is achieved by an MRD code. In particular, 
the rate of n — 2t packets per transmission is achievable only 
if m > n. 

In the case of a stochastic encoding, the result above does 
not necessarily hold, since it is conceivable that recovering S 
from Y does not necessarily enable the receiver to recover X. 
Still, it is possible to obtain the following equivalence result, 
which will be very useful in the sequel. 

Theorem 2: Consider a stochastic encoding from S E S 
to X E F^^™. The encoding admits a universally t-error- 
correcting scheme if and only if it admits a zero-error scheme 
for the coherent channel Y = AX, for all full-rank A E 

-jp,(ra-2t) xn 

Proof Omitted due to lack of space. ■ 

Essentially, Theorem |2] shows that any coding scheme that 
corrects t packet errors can be modified at the decoder to 
instead correct 2t "packet erasures" (i.e., rank deficiency), and 
vice-versa. 

B. Security Only 

Consider an {n x m,n)q linear coded network subject to 
/i observations but t = errors. In this case, H{X\Y) = 0; 
thus, condition (O can be replaced by H{S\X) = 0. 

It is shown in IJJJ that the maximum number of symbols 
per transmission that can be reliably communicated with a 
universally secret scheme is upper bounded by m{n — /i). 
Moreover, this rate is achievable only if to > n. 

A scheme is proposed in ifTTI that is able to achieve this 
maximum rate. The scheme uses Ozarow-Wyner coset coding 
Iil9j based on linear MRD codes. In order to describe the 
scheme, it is convenient to use the bijection described in 
Section Hl-AI and think of vectors in F^^™ as elements of the 
extension field F^m . Note that this is used solely to perform the 
encoding and decoding operations at the source and destination 
nodes, and has no impact in the F^-linear network coding 
operations performed at the internal nodes. 

Let C be an [n, /i] linear code over F^m with parity-check 
matrix H E F^™", where k = n — ji. Let the message be given 
by 5 G F^n,. Encoding is performed by choosing X E F^™ 
uniformly at random such that S — HX. In other words, S is 
viewed as a syndrome specifying a coset of C, and X is chosen 
as a random word from that coset. Decoding is performed 
simply by computing S — HX. It is shown in ifTTl that this 
scheme is universally secret if and only if C is an MRD code 
and m > n. 

We now describe a convenient way to perform the encoding 
process. Let T E F^™" be an invertible matrix such that H 
corresponds to the first k rows of T^^. Given a message 
S E F^m, the encoder chooses V E F^""'^' uniformly at 
random and independently from S, and produces X E F^™ 
by computing 

' S 



X 



V 



Note that S = HX. It is easy to show that H{X\S) = n-k, 
i.e., X is chosen uniformly at random given S. Thus, this 
encoder indeed implements a coset coding approach. 

We now give a security condition based directly on the 
matrix T rather than its inverse. 

Proposition 3: The encoder described above is universally 
secure under fj, < n — k observations if the last n — k rows 
of form a generator matrix of an [n,n — k] linear MRD 



code over 



with m > n. 



Proof: Let G G 
\Gi 
G 



~i(n — fc) X n 



and Gi E F^^" be such that 



Then 



7 


0' 




' H' 


= T-'^T = 





/ 


Hi. 



[Gf G^] ^ 



HGJ HG^ 
Hi G"[ Hi G^ 



Thus, HG'^ = 0. Since both G and H are full-rank, it 
follows that G and H are generator and parity-check matrices, 
respectively, for exactly the same code. ■ 

V. Proposed Scheme 

In this section, we propose a scheme that is universally t- 
error-correcting and universally secret under /i observations. 
The scheme achieves a rate of n — jj. — 2t packets per 
transmission and requires the packet length m to be at least 
n symbols. The scheme can be seen as a combination of 
the strategies for error control and security described in 
Section ITVl designed in such a way that they can be coupled 
without violating conditions ^ and (|4]i. In what follows 
we make use of the identification between Fj^™ and Wqm 
described in Section Hl-AI 

Assume that m > n and Q<k<n — ji — 2t. Let Go £ 
F^^i^^-*^" be a generator matrix of an [n, k + fi] linear MRD 
code over F^™. Suppose that the last ji rows of Go form a 
generator matrix G G F^^" of an [n,^i] linear MRD code 
over Fgn, . 

Encoding proceeds as follows. Given a message S G F^™, 
the encoder first produces an auxiliary variable 



by choosing y £ F|^ 



is uniformly at random and indepen- 
dently from S. Then, the encoder computes 

X = G^U. 



Note that the mapping from J7 to X is a deterministic 
mapping whose image is (a subset of) 

Co = {G^u,ue¥[t+'''>}. 

It follows from Theorem [T] that, when X is transmitted over 
an {n x m, n)q linear coded network subject to t errors, 
the receiver can uniquely determine U (and therefore S) if 
dR (Co) > 2t. Since Co is an [n, fc + /i] linear MRD code over 
Fgm, with m > n, we have that dR(Co) — n — k — fi + l > 
2t + 1. Thus, the scheme is universally i-error-correcting. 



In particular, decoding can be performed in two steps: first, 
applying a decoder for Cq in order to find U £ F^™^; then, 
extracting the message S as the first k rows of U. 

In order to prove the secrecy of the scheme, consider first 
an alternative interpretation. Let T £ F^*m" be an invertible 
matrix such that the last k + fi rows of correspond to the 
matrix Gq. Then, we have 



where 



S' 



"0' 




'S'' 


= T 


v_ 


u 





In other words, the encoder is identical to the encoder 
described in Section IIV-BI if S" is taken as the message. 
Furthermore, we have that the last ji rows of correspond 
to G, which is the generator matrix of an [n, ^] linear MRD 
code over Fgm . Thus, by Proposition[3](which holds regardless 
of the message distribution), we have that the scheme is 
universally secret under ji observations. 

The above analysis proves the following result. 

Theorem 4: The scheme described above is universally t- 
error-correcting and universally secret under /i observations. 

Our proposed scheme relies on the assumption that a 
generator matrix Go for an [n, fc + /i] linear MRD code Co 
exists such that its last /i rows form a generator matrix for 
another [n, ^] linear MRD code. It is easy to see that, if Go 
is taken as a generator matrix of a Gabidulin code given in 
the form dU, then any ^ consecutive rows of Gq (in particular 
the last ones) indeed form a generator matrix of an MRD sub- 
code. In this case, decoding of Co can be efficiently performed 
using the methods in flOl, fHl. ifTej. 

VI. Converse Results 

In this section, we prove that our proposed scheme is 
optimal, both in the sense of achieving the maximum possible 
rate and in the sense of requiring the minimum possible packet 
length among all schemes that achieve this maximum rate. 

Theorem 5: Consider an [n x m)q linear coded network. 
Assume that the source message has entropy of k packets. 
There exists a scheme that is universally t-error-correcting and 
universally secure under /i observations only if k < n~2t — pi. 
Moreover, this maximum rate can be attained only if to > n. 

Proof: Let n' = n - 2t. Let S £ F^^" be a full- 
rank matrix and let A £ be a full-rank matrix such 
that B = PA for some (necessarily full -rank) P £ F^^"'. 
Let Ya = AX and Wb ^ BX ^ PYa- If the encoder 
admits a scheme that is universally t-error-correcting then, 
by Theorem |2] it also admits a scheme that is zero-error for 
the coherent channel Ya = AX. Thus, there is a function 
Ja - F^'^™ S such that 5 /aCYa). In particular, there 
is also a function /: F;^'^'" ^ S such that S = f{X). Thus, 



we may write Xg — {x ^ jpnxm . j^-^,^ _ Now, 
k = H{S) 
^ H{S\Ya,Wb) + I{S;Ya,Wb) 



^I{S;Ya,Wb) (5) 

^I{S;Wb)+I{S;Ya\Wb) 

= I{S;Ya\Wb) (6) 

= H{Ya\Wb) ~ H{Ya\S,Wb) 

<H{Ya\Wb) (7) 

<n' - rank P = n' ~ fi (8) 



where ^ follows since 5 is a function of Ya and (|6]l follows 
since I{S;Wb) — 0. This proves the first statement. Now 
consider the second statement. Since dHJ holds with equality, 
we must have H{Ya\S, Wb) ^ and H{Ya\Wb) = n' - h. 
Note that these conditions hold for all full-rank B and all 
A e Ab, where 

AB = {Ae ^" : rank A = n' , {B) C {A)} 

and (•) denotes the row space of a matrix. This implies that 
H{Ya, Ae Ab\S,Wb) =0 and therefore H{Yb\S,Wb) = 
0, where Yb — AbX and Ab is the matrix consisting of the 
vertical stacking of all matrices in Ab- It is not hard to see 
that, as long as n' > fi, rank Ab = n. (In fact, Ab contains 
every nonzero vector of Fj^" as one of its rows.) It follows 
that HiX\S, Wb) = 0, for all full-rank B. Thus, X must be 
uniquely determined given Wb ~ BX and the indication that 
X e Xs- From Theorem [T] this implies that each Xg must be 
a rank-metric code with dB,{Xs) > n — + 1. 

On the other hand, we have seen that H{Ya\Wb) = rt' — /i 
for all full-rank P e F^^"' where Wb = PYa and B = PA. 
By the chain rule of entropy, it is not hard to see that this 
implies that Ya is uniform (for instance, by choosing some 
P's that are submatrices of an identity matrix, as in the wiretap 
channel II). Thus, H{Ya) ^ n', which implies that H{X) > 
n'. Since H{X) = H{X,S) = H{S) + H{X\S), we have 
that H{X\S) > n' — k — ji. Thus, there must be some s G 5 
such that H{X\S ^ s) > ^i, which impUes that \X,\ > g™'^. 
Together with the fact that dji{Xs) > n — /x + 1, we can see, 
from the Singleton bound that this can only happen if 
m > n. ■ 

VII. Extension to Noncoherent Network Coding 

The scheme described in the paper is suitable for coherent 
network coding and is indeed optimal. In the case of noncoher- 
ent network coding, the scheme can be adapted by including 
appropriate packet headers. More precisely, the transmission 
matrix should be [/ X] , where X is the transmission matrix 
of the original scheme. Clearly, including packet headers does 
not affect security, but it allows the scheme to be decoded 
when the transfer matrix A is unknown. It is shown in ifTOl 
that such adaptation preserves the error-correcting capability 
of the code, so the universally i-error-correcting property is 
maintained. Although the rate achieved in this case is no longer 
optimal, it is very close to optimal for all practical packet 
lengths [10 1 . 



VIII. Conclusion 

In this paper, we have proposed a universal end-to-end cod- 
ing scheme that can guarantee perfectly secure and perfectly 
reliable communication over a linear coded network subject 
to malicious interference and eavesdropping. The scheme is 
optimal both in the sense of achieving the maximum possible 
rate as well as requiring the smallest possible packet length. 
The scheme is based on rank-metric codes and admit efficient 
encoding and decoding algorithms. 
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